10 practical steps to harden your WordPress site against cyberattacks

During the war, the number of attack attempts against Israeli websites has spiked dramatically.
To help us defend ourselves, I'm sharing some practical insights I've gathered over time about securing my own websites and those of my clients.
Have additional tips or comments? Feel free to share them with everyone in the comments.
Recommended steps for protecting WordPress sites (and beyond):

1. **Most critical! 2FA** — Enable two-factor authentication on everything related to your site: your hosting provider's control panel, the site's admin dashboard, and everywhere else possible. This is the single best protection available today against cyberattacks.

2. **Almost as critical: backups** — Set up an automated backup system for your site that also sends backups to a separate storage server. If you lose your web server along with all the backups on it, you need an alternative.
Every few months, download a backup copy to your computer and save it on a hard drive that is not connected to the internet, just to be safe.

3. **Manage users and access** — In the IT world there's a principle called the "principle of least privilege." It means every user is granted the lowest permission level possible — so, for example, the site's marketing person gets store-manager permissions rather than admin permissions if admin access isn't needed.
It's equally important to actively manage users: remove admin-level accounts that are no longer necessary, require strong passwords and two-factor authentication, and close sessions for admin accounts that are not in active use.
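One way to turn step 3 into a routine check, as an added example (not code from the original post): WordPress core records each user's logins in the `session_tokens` user meta, one entry per token with `expiration`, `ip`, `ua` and `login` as Unix timestamps. The script below reads that structure and flags administrator sessions that are still valid but idle, and administrators with no live session at all. The sample data is constructed; the wp-cli commands named in the comments are the assumed way to export the data and act on the findings.

```python
"""Audit administrator sessions (step 3): close idle admin sessions, review unused admins."""

DAY = 86400
MAX_IDLE_DAYS = 7     # a valid admin session unused this long is treated as stale
NOW = 1709251200      # fixed reference time (2024-03-01 00:00 UTC) so results are reproducible

# Constructed sample, shaped like `wp user list --role=administrator --format=json`
# merged with `wp user meta get <ID> session_tokens --format=json` for each admin.
SAMPLE_ADMINS = [
    {"ID": 1, "user_login": "owner", "session_tokens": {
        "t1": {"expiration": NOW + 12 * DAY, "ip": "203.0.113.5", "ua": "Firefox", "login": NOW - 2 * DAY}}},
    {"ID": 7, "user_login": "old-agency", "session_tokens": {
        "t2": {"expiration": NOW + 4 * DAY, "ip": "198.51.100.9", "ua": "Chrome", "login": NOW - 10 * DAY}}},
    {"ID": 9, "user_login": "contractor", "session_tokens": {}},
]


def audit_admin_sessions(admins, now=NOW, max_idle_days=MAX_IDLE_DAYS):
    """Return findings as (kind, user_login, token):
    'stale_session' = valid session whose login is older than max_idle_days,
    'no_session'    = admin with no live session (a prompt to review whether admin rights are still needed;
                      logged-out sessions are deleted by WordPress, so this is a hint, not proof of inactivity)."""
    findings = []
    for admin in admins:
        live = {tok: s for tok, s in admin["session_tokens"].items() if s["expiration"] > now}
        if not live:
            findings.append(("no_session", admin["user_login"], None))
            continue
        for tok, s in live.items():
            if now - s["login"] > max_idle_days * DAY:
                findings.append(("stale_session", admin["user_login"], tok))
    return findings


def remediation_commands(findings):
    """Translate findings into wp-cli commands for the operator to review before running."""
    cmds = []
    for kind, login, _ in findings:
        if kind == "stale_session":
            cmd = f"wp user session destroy {login} --all"
        else:
            cmd = f"# review admin '{login}': no live session; if admin rights are no longer needed: wp user set-role {login} editor"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    print("\n".join(remediation_commands(audit_admin_sessions(SAMPLE_ADMINS))))
```

Run it against a real export on a schedule and review the printed commands before applying them; `wp user session destroy <user> --all` forces that user to log in again (with 2FA, per step 1).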

4. **Apply the automatic security recommendations of your site management platform** — Platforms such as cPanel have a built-in system for detecting security vulnerabilities, such as missing updates or outdated versions of WordPress, plugins, PHP, MySQL, and so on.
You can apply the recommendations with a single click — you just need to actually do it every now and then.

5. **A security plugin — for example, Wordfence** — This is not a luxury. You'll quickly start receiving reports from the plugin that will show you just how much your site is being attacked, even when you had no idea.

6. **Bot protection, reCAPTCHA** — With v3, the protection is completely invisible to the user, but when enabled on forms, user registration, and the admin login page, it can block a huge number of password-guessing attacks.

7. **Hiding your IP address via a proxy (not an Iranian one 😉)** — It's recommended to route your domain through Cloudflare so that your site's original IP address is concealed. Additional benefits include improved performance and DDoS attack mitigation.

8. **Geolocation blocking** — If your site targets only one country or a handful of countries, there's no reason to allow access from elsewhere. Blocking other regions will significantly reduce the number of attack attempts, which typically originate outside Israel.

9. **Using a .com TLD and a non-Israeli server** — In the wider world, many people don't like us. Israel is a country whose infrastructure is attacked far more than that of most other nations. If your site is hosted outside Israel and its domain extension is not .co.il, it will be at considerably lower risk.

10. **When you lock the door, make sure to close the window too** — There are many ways to access your site: through the server's operating system, the web hosting platform, the cPanel account, the WordPress admin page, FTP, SSH, and phpMyAdmin for the databases.
Even if you've closed most of the doors, as long as one of these windows remains open, someone will try to exploit it — and may eventually succeed.

May we know quieter and better days — together we will prevail!

#cybersecurity #wordpresssecurity